Like other cantonal data protection laws, the Bernese Data Protection Act (KDSG) is under revision; the consultation documents can be found here.
In view of the ongoing and lively discussion about outsourcing by public bodies, Art. 15 on the disclosure of personal data abroad (proposal of June 21, 2023) is particularly noteworthy. The following provision is proposed:
Art. 15 Disclosure abroad
1 The responsible authority may disclose personal data abroad if the fundamental right to data protection of the person concerned is adequately protected.
2 Adequate protection can be ensured by
a treaty under international law,
b a declaratory decision of the Federal Council in accordance with federal data protection legislation or
c other adequate guarantees.
3 By way of derogation from paragraphs 1 and 2, the responsible authority may disclose personal data abroad if
a the disclosure is necessary in individual cases for the protection of an overriding public interest,
b the data subject has expressly consented to the disclosure in the individual case or has made their personal data generally accessible and has not expressly prohibited processing,
c the disclosure is necessary to protect the life or physical or mental integrity of the data subject or a third party and it is not possible to obtain the data subject’s consent within a reasonable period of time, or
d (addition for variant 2) the disclosure takes place in the context of order processing (processing on behalf) and the requirements for this are met.
The Government Council is therefore proposing two variants to the Grand Council: one variant that largely corresponds to the familiar approach, and a second variant that permits disclosure to a country without an adequate level of protection even where the disclosure takes place in the context of order processing, which is very often the case, especially with the cloud services at issue here. The prerequisite is that the requirements for order processing are met, which is usually the case with the major cloud providers without any difficulty.
The explanatory report on the proposed regulation, the so-called "proposal" (dated June 21, 2023), states the following:
Variant 1 comprises Article 15(1) to (3)(a) to (c). It provides only for restrictive exceptions and gives greater weight to the fundamental right to data protection of the data subjects than to the public interests of the responsible authorities in the use of US cloud solutions.
In addition to Article 15(1) to (3)(a) to (c), variant 2 provides for a further exception in letter d, which is intended to facilitate the use of US cloud solutions. It gives greater weight to the public interests of the responsible authorities in the use of US cloud solutions than to the interferences with the fundamental rights of the data subjects, which this variant considers unlikely.
[…] Addition for variant 2: letter d
Virtually every public authority has a Twitter, YouTube or Instagram account, and software solutions such as Zoom or Teams have been used regularly in the education sector since the coronavirus pandemic. The case law of the European Court of Justice on the level of data protection in the USA, and the Federal Council's subsequent assessment of it, make it more difficult for the responsible authorities to use such services from US providers, as the decisive factor is whether the personal data is processed in Switzerland, in the European Union or in the USA. The Government Council of the Canton of Bern is therefore putting a further exception out for consultation, one that does not require an adequate level of data protection for disclosure abroad. This is intended to reflect reality and to facilitate the use of US cloud solutions.
This regulation, which deviates from that of the Confederation and, as far as is known, also from that of the other cantons, entails a locational advantage for the Canton of Bern. The use of US cloud solutions should therefore be permitted if the requirements for processing on behalf are met. This would mean that the responsible authorities would only have to guarantee data security (Art. 12 para. 3 VE-KDSG), which is assessed on the basis of the risk of a violation of fundamental rights (Art. 10 para. 1 VE-KDSG). This variant assumes that the data protection risks that may arise for data subjects from the use of US cloud solutions are of a theoretical nature and are hardly relevant in practice. On the other hand, there are major practical public interests in using the world's best cloud solutions: they enable the authorities to achieve their digitization goals much more quickly, more cost-effectively and in a more customer-friendly manner than with conventional, non-cloud-based software. The potentially easier access to data by foreign criminal prosecution authorities or intelligence services, or the limited opportunities to take legal action against data protection violations abroad, are weighted more heavily.
The use of US cloud software is the norm in both private and business environments. Almost everyone has an Apple, Microsoft or Google account and devices, and most businesses could no longer function without US cloud software. This circumstance reflects a risk decision by society as a whole, which the legislator takes into account in this variant: if almost all people and companies consider the risks under discussion to be proportionate and acceptable for themselves, then the canton can and should do the same for its population. Unlike private individuals, public authorities are also bound by constitutional principles such as the principle of legality, which is why the situations are only comparable to a limited extent. Nevertheless, the canton should also be able to take the private risk assessment into account, which is why this variant is being submitted for consultation.
On the one hand, this proposal illustrates the practical needs of authorities, cantonal ones in particular but not only, which, like other organizations, are under pressure to push ahead with digitalization. On the other hand, it is, as far as can be seen, the first attempt to address the existing concerns, requirements and, above all, uncertainties by legislative means.
The authors of the proposal, the Directorate of Home Affairs and Justice, are obviously aware that this proposal is bold, since it has only been presented as a variant. The wording of the proposal also seems rather defensive, and the reference to the locational advantage is not very convincing as long as Zurich authorities cannot relocate their activities to Bern. Ultimately, the proposal postulates the normative power of the factual: not an argument from a legal perspective, but certainly one from a legal policy perspective, as long as the practical necessities are sufficiently demonstrated. The law does not operate in a vacuum, and the focus on data security is certainly expedient, because data security includes the prevention of unlawful access.
However, the proposal does not answer the question of what level of data security against access by foreign authorities is required. Seen in this light, the variant merely shifts the focus of the issue from the disclosure abroad to data security. This in itself does not solve any problems, but the discussion will perhaps, hopefully, become less tense.
The head of the Bernese data protection authority (Datenschutzaufsichtsstelle, DSA), Ueli Buri, has been very critical of this. The variant violates constitutional and international law, as the Confederation quotes him. However, this must be disputed, at least if the risk of access by the authorities is to be reduced to an appropriate level by means of suitable security measures.
It should be noted that the idea of allowing disclosure abroad in the context of order processing without further requirements is not new. Bruno Baeriswyl, the then head of the Zurich data protection authority, took this view in the previous edition of the Stämpfli Handkommentar zum DSG (Art. 10a), on the ground that there is no disclosure in this case:
43 In doctrine and practice, it is argued that in the case of outsourcing abroad, Art. 6 FADP on the cross-border disclosure of data also applies. This view must be disputed, since outsourcing is not a data disclosure in the sense of data protection law […]. Full responsibility remains with the data processor who outsources the data processing; it is not (partially) transferred to the data recipient, as it is in the case of a data disclosure.